A new supply chain worm is actively targeting the npm ecosystem, with a research team identifying at least 19 malicious npm packages designed to steal developer and CI/CD secrets and automatically spread across repositories and workflows.
The campaign, tracked as SANDWORMMODE, uses typosquatted npm packages and poisoned GitHub Actions to infect both developer machines and CI pipelines.
The attackers impersonated popular Node.js utilities and AI coding tools using two npm publisher aliases.
The malicious packages appear normal and keep their expected functionality. However, once imported, they secretly execute a multi-stage JavaScript payload.
As soon as a developer runs npm install, the malware activates. It immediately steals sensitive data, including npm and GitHub tokens, environment variables, crypto keys, and other secrets.
In CI environments, the worm bypasses built-in delays, so the full attack, including data theft and propagation, runs instantly. This makes routine dependency installation a major risk point.
Shai-Hulud vs SANDWORM_MODE Worm Features:
| Theme | Earlier Shai-Hulud Worm | SANDWORM_MODE Variant |
|---|---|---|
| How it spreads (entry point) | Used malicious npm packages | Used fake (typosquat) npm packages that look like real tools |
| Who it targets | Developers and CI systems | Specifically targets developers and CI; pretends to be trusted packages |
| When it runs | Runs during normal package use | Runs when imported, but still works like a normal library |
| Structure | Multi-stage (loader + payload) | Multi-stage with encrypted second stage |
| Obfuscation | Hides code with runtime tricks | Uses Base64, compression, XOR, AES encryption to hide payload |
| What it steals | Developer and CI credentials | npm/GitHub tokens, env secrets, .npmrc creds, password managers |
| How it sends data out | Works even in restricted networks | Uses GitHub API, DNS tunneling, and HTTPS endpoints |
| How it spreads further | Uses stolen npm/GitHub accounts | Modifies repos, injects package.json, lockfiles, workflows |
| CI attacks | Uses CI to spread | Injects malicious workflows and steals secrets |
| Destructive feature | Optional destructive mode | Wipes home directory if GitHub + npm access are lost |
| Operator control | Configurable settings | Many SANDWORM_* environment variable controls |
| Theme/branding | Dune/sandworm naming | Uses SANDWORM_* themed switches |
| Persistence | Different methods | Uses git hooks so new repos inherit infection |
| Backup spreading method | Not always highlighted | Uses SSH if API spreading fails |
| AI tool targeting | Not a major focus | Targets AI tools (Claude, Cursor, VS Code), injects configs |
| Self-rewriting | Not emphasized | Can rewrite itself using local Ollama (if enabled) |
How the Worm Steals Data
The attack works in multiple stages:
| Stage | Activity | Details |
|---|---|---|
| Stage 1 – Fast Secret Harvesting | Initial Data Theft | Scans .npmrc files, environment variables, configuration files, and crypto wallets. |
| Stage 1 – Fast Secret Harvesting | Exfiltration | Sends discovered secrets to a remote server via a Cloudflare Worker endpoint. |
| Stage 2 – Deep Harvesting | Extended Data Collection | Searches password managers, local SQLite databases, and wallet files for additional sensitive data. |
| Stage 2 – Deep Harvesting | Exfiltration Method | Transfers stolen data over HTTPS, with DNS tunneling as a fallback method. |
The worm uses stolen npm and GitHub credentials to continue spreading. If GitHub API access fails, the malware switches to an SSH fallback method.
It abuses the victim’s SSH agent to clone repositories, insert the carrier dependency, and push changes under the victim’s identity.
The campaign also includes a weaponized GitHub Action called ci-quality/code-quality-check. It pretends to run a normal quality check but actually steals CI secrets and continues the propagation process.
ci-quality/code-quality-check mimics a Node.js code quality Action( source : socket)Supply Chain Worm Propagation Methods:
| Action | Description |
|---|---|
| Credential Abuse | Uses stolen npm and GitHub credentials to continue spreading. |
| Package Republishing | Republishes infected versions of popular packages. |
| Carrier Injection | Adds a hidden “carrier” dependency into accessible repositories via the GitHub API. |
| File Modification | Alters package.json and lockfiles to include malicious changes. |
| Workflow Injection | Adds malicious GitHub workflows to compromised repositories. |
| Auto-Merge Attempts | Tries to auto-merge pull requests to make changes appear legitimate. |
The worm also targets AI coding tools. It installs a rogue MCP server into configurations for tools like Claude Code, Cursor, and VS Code extensions.
It uses hidden prompt injection instructions to trick AI assistants into reading SSH keys, cloud credentials, and tokens, then sending them to the attacker’s server.
It even checks for API keys from multiple major LLM providers, turning infected systems into large-scale credential harvesting platforms.
The sample includes a disabled “dead switch” feature that could wipe a user’s home directory if the attack fails. Although not active, it shows the malware is still evolving.
The Sockets Threat Research Team urges teams to remove malicious packages, rotate secrets, audit workflows, and monitor for suspicious activity, warning that the campaign poses a serious risk to dev and CI environments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
